| File name: | 3k7RNwxPVP2bvx7kUmCHwf.zip |
| Full analysis: | https://app.any.run/tasks/7558dcb0-ec95-40b5-a3a9-d051b084db59 |
| Verdict: | Malicious activity |
| Analysis date: | February 29, 2024, 04:27:32 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | E9ADBC31445CB22DFA5A22E8ABB3328E |
| SHA1: | CED99FD82FA76031426AE079270091438F1F1293 |
| SHA256: | B6626E55F517B2BB9C095E7BB34C1C2FC35C34D31E2CAA07B48EE9F61E6E97FF |
| SSDEEP: | 393216:Wh49tDS1kULF9KsXQKYFZ9HFc79xWMIQBg6nSnu4sCmM7galnsl6GT3wBo:WefDS1LL7SZ9lcBMMxguSu4t5hENqo |
MALICIOUS
Drops the executable file immediately after the start
- PdfConverters.exe (PID: 5608)
SUSPICIOUS
Process drops legitimate windows executable
- PdfConverters.exe (PID: 5608)
The process creates files with name similar to system file names
- PdfConverters.exe (PID: 5608)
Executable content was dropped or overwritten
- PdfConverters.exe (PID: 5608)
The process drops C-runtime libraries
- PdfConverters.exe (PID: 5608)
INFO
Checks proxy server information
- slui.exe (PID: 3240)
Manual execution by a user
- PdfConverters.exe (PID: 5608)
- firefox.exe (PID: 4008)
Checks supported languages
- PdfConverters.exe (PID: 5608)
Reads the software policy settings
- slui.exe (PID: 3240)
Create files in a temporary directory
- PdfConverters.exe (PID: 5608)
Reads the computer name
- PdfConverters.exe (PID: 5608)
Creates files in the program directory
- PdfConverters.exe (PID: 5608)
Reads Microsoft Office registry keys
- firefox.exe (PID: 6040)
Application launched itself
- firefox.exe (PID: 4008)
- firefox.exe (PID: 6040)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | 0x0009 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2024:02:29 04:02:18 |
| ZipCRC: | 0x0188e77a |
| ZipCompressedSize: | 63572532 |
| ZipUncompressedSize: | 157801528 |
| ZipFileName: | PdfConverters.exe_ |
Total processes
148
Monitored processes
15
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1108 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6040.1.2021876536\1663587235" -parentBuildID 20230321111920 -prefsHandle 2296 -prefMapHandle 2292 -prefsLen 27131 -prefMapSize 238085 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9e56d24-fc34-484e-b770-2671055ec0b3} 6040 "\\.\pipe\gecko-crash-server-pipe.6040" 2308 22838bfaf58 socket | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 111.0.1 Modules
| |||||||||||||||
| 1776 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6040.0.1238108991\920167161" -parentBuildID 20230321111920 -prefsHandle 1740 -prefMapHandle 1732 -prefsLen 27131 -prefMapSize 238085 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ef95b98-cec4-4b70-b367-4d56d1565c45} 6040 "\\.\pipe\gecko-crash-server-pipe.6040" 1820 228380a9358 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 1 Version: 111.0.1 Modules
| |||||||||||||||
| 2152 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6040.3.330861290\118842026" -childID 2 -isForBrowser -prefsHandle 4268 -prefMapHandle 4264 -prefsLen 32967 -prefMapSize 238085 -jsInitHandle 1504 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230321111920 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a5beae0-0602-43d2-83a4-ea3723ca5634} 6040 "\\.\pipe\gecko-crash-server-pipe.6040" 4280 2282b97c258 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 111.0.1 Modules
| |||||||||||||||
| 3240 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3652 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6040.7.1646264698\1149318849" -childID 5 -isForBrowser -prefsHandle 5108 -prefMapHandle 5140 -prefsLen 29575 -prefMapSize 238085 -jsInitHandle 1504 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230321111920 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ad1a697-36a2-4f16-ab71-9420bb263fb1} 6040 "\\.\pipe\gecko-crash-server-pipe.6040" 5348 2282b976d58 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 111.0.1 Modules
| |||||||||||||||
| 3824 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6040.4.554539745\1284006986" -parentBuildID 20230321111920 -sandboxingKind 0 -prefsHandle 5020 -prefMapHandle 4956 -prefsLen 32967 -prefMapSize 238085 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15cf5dd2-506a-4a00-8798-21526ac3cc6b} 6040 "\\.\pipe\gecko-crash-server-pipe.6040" 2484 228419a0258 utility | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 1 Version: 111.0.1 Modules
| |||||||||||||||
| 3872 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6040.5.2112259970\1319163800" -childID 3 -isForBrowser -prefsHandle 2484 -prefMapHandle 4300 -prefsLen 29575 -prefMapSize 238085 -jsInitHandle 1504 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230321111920 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad3e2ef5-0c8d-4251-b366-3d894d903a7f} 6040 "\\.\pipe\gecko-crash-server-pipe.6040" 5108 228414ce858 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 111.0.1 Modules
| |||||||||||||||
| 3980 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6040.9.1837401434\1898539304" -childID 7 -isForBrowser -prefsHandle 4676 -prefMapHandle 8228 -prefsLen 29760 -prefMapSize 238085 -jsInitHandle 1504 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230321111920 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3970a3d3-dfd8-4872-8acf-cd1810e02bda} 6040 "\\.\pipe\gecko-crash-server-pipe.6040" 5996 2282b97a458 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 111.0.1 Modules
| |||||||||||||||
| 4008 | "C:\Program Files\Mozilla Firefox\firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | — | explorer.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 111.0.1 Modules
| |||||||||||||||
| 4744 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6040.8.1602832527\524823201" -childID 6 -isForBrowser -prefsHandle 9836 -prefMapHandle 9844 -prefsLen 29760 -prefMapSize 238085 -jsInitHandle 1504 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230321111920 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8b4e1d8-6c02-45b9-ae8d-38d5ca753875} 6040 "\\.\pipe\gecko-crash-server-pipe.6040" 9848 2282b9f6358 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 111.0.1 Modules
| |||||||||||||||
Total events
22 829
Read events
22 696
Write events
128
Delete events
5
Modification events
| (PID) Process: | (5192) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\General |
| Operation: | write | Name: | VerInfo |
Value: 005B0500B0C0A4AFC76ADA01 | |||
| (PID) Process: | (5192) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (5192) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (5192) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Downloads\3k7RNwxPVP2bvx7kUmCHwf.zip | |||
| (PID) Process: | (5192) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (5192) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (5192) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (5192) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (5192) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\36\52C64B7E |
| Operation: | write | Name: | @C:\WINDOWS\System32\msxml3r.dll,-1 |
Value: XML Document | |||
| (PID) Process: | (5192) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop | |||
Executable files
521
Suspicious files
102
Text files
31
Unknown types
55
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5192 | WinRAR.exe | C:\Users\admin\Desktop\PdfConverters.exe_ | — | |
MD5:— | SHA256:— | |||
| 5608 | PdfConverters.exe | C:\Users\admin\AppData\Local\Temp\.net\PdfConverters\15e8\runtimes\win-x86\native\WebView2Loader.dll | executable | |
MD5:33F7FA1198C0BF4988A0210F144B20B4 | SHA256:8C1B0AE8B7E7AA402407F00F22EFB1989E47AEAA9C6A1FFA98341672D9ECF6DC | |||
| 5192 | WinRAR.exe | C:\Users\admin\Desktop\metadata.json | binary | |
MD5:95FCE83AD576041CC8736DA4861E0C78 | SHA256:ADD0E14D139592CB68E52EF81EB27699C0AE612C3F24F7297BA7CCC92E17E761 | |||
| 5192 | WinRAR.exe | C:\Users\admin\Desktop\file-acquisition-raw-issues.0FEQuk7UZWl5oxmI0qFrPF.xml | xml | |
MD5:DF7972AC26DF2CAA28114773E2966304 | SHA256:BD4E548388E1D08E6F27B1B8AE90E5C1DED51655DB21E987A6141720CDDCC41C | |||
| 5608 | PdfConverters.exe | C:\Users\admin\AppData\Local\Temp\.net\PdfConverters\15e8\Microsoft.CSharp.dll | executable | |
MD5:EF890172F46CC8AEB5E9A73F94285FBA | SHA256:C7A8497165273BDA4CB92EDB6758E3FB1DEB78F9670FB1471A79550CA5D8D065 | |||
| 5608 | PdfConverters.exe | C:\Users\admin\AppData\Local\Temp\.net\PdfConverters\15e8\app.runtimeconfig.json | binary | |
MD5:97F81F01645EFC1B501B1F947EC6367D | SHA256:5A56D8934A12389B8F7276399A06CE2C8D05BD15A9F2529F14C843AC78E4A88A | |||
| 5192 | WinRAR.exe | C:\Users\admin\Desktop\script.xml | xml | |
MD5:05EC1354343915BDBABBDD854C5EE103 | SHA256:BB495FE88A706E18C531E53C52D2F8CFFF4840387BC3F75C1E8E2747773E7951 | |||
| 5608 | PdfConverters.exe | C:\Users\admin\AppData\Local\Temp\.net\PdfConverters\15e8\System.Buffers.dll | executable | |
MD5:EE51A763EA8CD7A3115ECB3C99A5544C | SHA256:8E4F4A2A7E7A389F86004EE0B0DCFF9E99F0375CD4AE8B1E3F751626FC633973 | |||
| 5608 | PdfConverters.exe | C:\Users\admin\AppData\Local\Temp\.net\PdfConverters\15e8\app.dll | executable | |
MD5:2E92DB69EBDAB1E5250985FC08CA87DF | SHA256:93FC5C91921DFC15F8173B8488A35A74998E3096BD24EAA42CD8087713CD43E1 | |||
| 5192 | WinRAR.exe | C:\Users\admin\Desktop\manifest.json | binary | |
MD5:18A68CA6E45E50B66A02C2BBAAA0FB04 | SHA256:D2D4C03C6B4D072B0DAF6BB5E8AB74D117E314B3DACEE7067E0BAAB1E5114207 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
26
TCP/UDP connections
90
DNS requests
132
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | binary | 471 b | unknown |
2720 | svchost.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | binary | 1.01 Kb | unknown |
6188 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D | unknown | binary | 313 b | unknown |
1296 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D | unknown | binary | 471 b | unknown |
2464 | svchost.exe | GET | 200 | 2.23.197.184:80 | http://x1.c.lencr.org/ | unknown | binary | 717 b | unknown |
6040 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | text | 8 b | unknown |
6040 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | text | 90 b | unknown |
6040 | firefox.exe | POST | 200 | 23.32.238.49:80 | http://r3.o.lencr.org/ | unknown | binary | 503 b | unknown |
6040 | firefox.exe | POST | 200 | 23.32.238.49:80 | http://r3.o.lencr.org/ | unknown | binary | 503 b | unknown |
6040 | firefox.exe | POST | 200 | 23.32.238.49:80 | http://r3.o.lencr.org/ | unknown | binary | 503 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3848 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |
6896 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5928 | svchost.exe | 20.190.159.73:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5928 | svchost.exe | 20.190.159.4:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5928 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
2720 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6828 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2720 | svchost.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
ocsp.digicert.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
arc.msn.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
x1.c.lencr.org |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
Threats
Process | Message |
|---|---|
PdfConverters.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|